Is blockchain secure?

For public- and private-sector blockchain initiatives, blockchain technology must contend with technological, governance and regulatory challenges. For all its transformational business value (immutability, distributed transactions, cryptography, provenance, etc.), pertinent issues around governance, advocacy, SmartContract development, and securing blockchain applications at the edges must still be resolved before blockchain can garner mainstream adoption.

Part I of this two-part abstract describes IBM’s Global Business Services’ (GBS) cybersecurity perspective on aligning blockchain cybersecurity principles that use an enterprise risk-based approach to permissioned blockchain application development.

Part II depicts the use of the blockchain platform to build innovative cybersecurity solutions and services across multiple disciplines.

Part I: Blockchain Security Assurance

Governance Risk and Compliance – SmartContract Management

In an age of first-mover advantage, first-to-market institutions across all vertical industries ignore game-changing technologies at their peril. Conventional wisdom suggests that those who move quickly to embrace disruptive technologies benefit the most from them. Blockchains and distributed ledger technologies represent a paradigm shift, offering a single version of the truth across complex, disparate ecosystems and processes, thereby achieving shared business value, reducing cost, lowering risk and enabling new business models.

The technology dramatically expands access for new entrants into the global marketplace. Securing transactions is critical to adoption of the blockchain protocol. However, managing blockchain-based application risk and maintaining security situational awareness remain largely unsolved problems for traditional approaches. While there have been several exploits of blockchain applications to date, it is worth noting that they did not target the blockchain technology itself, but rather SmartContracts (business logic defined in code, intended to facilitate, verify, or enforce contract negotiation) and applications at the edges of blockchain networks.

Blockchain Cybersecurity Assurance

As organizations evolve and the development and deployment of blockchain applications proliferate, the complexity of applications, interfaces, and SmartContracts invariably increases, and with it the risk to blockchain applications. Therefore, comprehensive risk management and cybersecurity assurance programs for blockchain applications are needed, supporting skilled cybersecurity professionals with strategy, governance, regulatory, and compliance processes.

Blockchain application developers, together with development operations (DevOps) teams, must consider whether they have the right tools for security and privacy compliance. The industry, as a whole, must examine the security landscape to identify security risks, develop threat modeling tools, establish roadmaps to harden the security posture, and deploy technologies to mitigate risks.

Figure 1 below depicts a blockchain cybersecurity assurance model that addresses blockchain risks based on a domain-specific, risk-based defense methodology and cybersecurity implementation best practices:

Figure 1: Overview of blockchain security assurance services

  • SmartContract governance and risk assessment – Defining and aligning the security program to blockchain application and ecosystem DevOps by cybersecurity methodologies and NIST’s risk management frameworks;
  • Data security and privacy assessment – Analyzing blockchain application data sets, thus informing legal, policy and regulatory issues, on- and off-chain design considerations, liability and enforceability issues;
  • Key management – Implementing public key infrastructure and the associated key lifecycle management services, including certificate generation, revocation, destruction, etc.;
  • Blockchain application threat modeling and secure coding assessments – Analyzing the design of the blockchain network participant ecosystem and securing micro-services: service-to-service security, application programming interfaces, access controls, and business associate agreements;
  • Certification and accreditation and authority to operate blockchain business network – Understanding and applying risk-based procedures for evaluating, describing, documenting, testing, and authorizing blockchain applications and business networks;
  • Blockchain cybersecurity intelligence and operations – Continuously monitoring, detecting, analyzing, diagnosing, and mitigating threats to gain insights into the blockchain threat exposure and prevent incidents; and
  • Incident response – Developing an incident response orchestration plan and effectively activating people, processes, and technologies to respond to and recover from security breaches impacting the confidentiality, integrity, or availability of enterprise blockchain applications.

About the author

Adewale Omoniyi is a senior managing consultant, biometrics and cybersecurity, IBM Global Business Services (GBS). He leads IBM U.S. Federal’s healthcare cybersecurity initiatives and GBS’s public service blockchain initiatives. Adewale earned his M.B.A. in strategy and global business at New York University and his undergraduate degree in management and information systems from Temple University. His cybersecurity certifications include CISSP, CISM, and CRISC.
